Digital Shadows Report Reveals that the Mirai Botnet Isn’t Going Away

Digital Shadows, a provider of cyber situational awareness, released its new report, "Mirai and The Future, Forecasting the DDoS Landscape in 2017". The emergence of the Mirai botnet – a type of malware that automatically finds Internet of Things (IoT) devices to infect – earlier this year was hailed as a major development in malware, but according to the report this could be the tip of the iceberg as cybercriminals rush to adapt and develop the original Mirai code.

Mirai translates from Japanese as the ‘future’ and if claims by actors such as BestBuy and Popopret are true, the total number of IoT devices infected with Mirai has increased since this malware variant was publicly released on September 30, 2016.[1]

“We know criminals move quickly to exploit new malware and techniques and find new ways to monetize them for profit,” said Rick Holland, VP Strategy at Digital Shadows. “So we can see a time when DDoS extortion actors have succeeded in creating new models for generating a ransom payment. Instead of solely relying on a target company, groups will use social media platforms to crowdsource the ransom payment from users who are dependent on the service,” Holland said.

The Mirai botnet is part of an emerging global trend of large and complex cyberattacks that are difficult to spot and even more difficult to prevent in an increasingly digitalised world. Countries in the Middle East are witnessing significant economic and technological transformation due to growing business opportunities in large industries such as banking, financial services and insurance (BFSI), and the region's dominance in heavy industries such as oil and gas.

“As organisations and individuals in the Middle East and especially the UAE and Saudi Arabia turn increasingly towards internet-enabled devices, it is even more critical there is better awareness of the problem,” said Holland. “Businesses selling internet-enabled devices have to be aware of the risks and do more to secure these devices. We, as consumers, need to ensure we use the same degree of cybersecurity scrutiny and awareness as we do surfing the web from a PC.”

The Mirai botnet, first discovered earlier in the summer, utilizes ‘Internet-of-Things’ (IoT) devices, such as Internet-enabled digital video recorders (DVRs), surveillance cameras, and other Internet-enabled embedded devices. Attackers have used it to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services, including TalkTalk and the Post Office in the UK.

There are three main motivations behind those who use DDoS as a tactic:

Online protest, typically planned, orchestrated and launched by hacktivist groups. These campaigns have targeted specified industries and geographies, both in the private and public sector.

Financial profitability, a significant motivation for a number of actors, such as extortion actors who use the threat of DoS or DDoS in return for a ransom payment. This is largely, although not exclusively, the preserve of the cybercriminal. DDoS attacks may also be used as a distraction for network intrusions conducted for profit.

Political gain, launched by nation state affiliated actors.

Mirai has proven itself to be remarkably flexible and adaptable. As a result, hackers can develop different strains of Mirai that take over new vulnerable IoT devices and increase the population of devices that Mirai botnets can draw on. The report suggests that 2017 is likely to see a range of new Mirai variants that use and adapt the original source code to target organisations and governments, deployed by hacktivists, cybercriminals motivated by financial gain through extortion, and politically motivated actors.